The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

More than 623,000 Patients Affected by CommonSpirit Health Ransomware Attack

CommonSpirit Health has confirmed that the protected health information of at least 623,774 patients was exposed and potentially stolen in its October 2022 ransomware attack. CommonSpirit Health first announced it was dealing with a cyberattack on October 4, 2022, and has been providing regular updates on its website as more information about the attack has been uncovered. The attack was detected on October 2, 2022, with the investigation confirming the attackers had access to parts of its network between September 16 and October 3.

The last update, issued on December 1, 2022, confirmed that the individuals behind the attack accessed the data of patients who had received services in the past, or affiliates of those individuals, from Franciscan Medical Group and/or Franciscan Health (now Virginia Mason Franciscan Health) in Washington state, including patients of St. Michael Medical Center (formerly Harrison Hospital), St. Anne Hospital (formerly Highline Hospital), St. Anthony Hospital, St. Clare Hospital, St. Elizabeth Hospital, St. Francis Hospital, and St. Joseph Hospital.

The breached data included names, addresses, phone numbers, dates of birth, and internal patient IDs. CommonSpirit Health said the breach did not affect Dignity Health, Virginia Mason Medical Center, TriHealth, or Centura Health facilities.

Suncoast Skin Solutions Reports 75,992-Record Data Breach

Suncoast Skin Solutions, a Lutz, FL-based network of medical and cosmetic dermatology practices, has recently started notifying patients who were affected by a cyberattack that was detected on or around July 14, 2021. Prompt action was taken to contain the incident, and third-party forensics experts were engaged to investigate and determine the nature and scope of the security breach.

The forensic investigation concluded on October 21, 2021, and revealed that files on the network containing patient data had been accessed in the attack, but that its electronic medical record system was unaffected. A preliminary review to determine the types of information affected was completed on November 8, 2021. That review confirmed only legacy patient data was involved.

Suncoast started sending notification letters to affected individuals on November 28, 2022. In the breach notification letter sent to the Maine Attorney General, Suncoast said the lengthy delay in issuing notification letters was due to the nature and size of the affected data. The data mining process commenced in December 2021, and took until October 2022 to be completed. Suncoast explained that in the interim, in order to comply with the HIPAA Breach Notification Rule, a media notice was issued on January 7, 2022, and a notice was put on its website about the data breach.

Names, dates of birth, clinical information, doctor’s notes, and other limited treatment information were exposed and potentially compromised. Credit monitoring services have been offered to affected individuals. The breach report submitted to the HHS’ Office for Civil Rights in July indicates 57,730 individuals were affected. The more recent notification to the Maine Attorney General indicates 75,992 were affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
